Currently, usernetctl does not make any attempt to cooperate with
SELinux and runs all scripts in the originating context of the caller.
As a result, SELinux would not let ordinary users (or staff_r users
for that matter) control the USERCTL=yes devices.
initscripts-7.48-1 policy-1.9-6

Update: when running in enforcing mode with policy-1.9-11, the staff_r
can control the USERCTL=yes devices.
Hopefully we just need to:
- Check that the user_r works too (assuming it is desirable).
- Add dontaudit for messages that get generated.